The SDL team here at Microsoft released a couple of new tools recently to help development teams verify the security of their software before they ship. BinScope Binary Analyzer and MiniFuzz File Fuzzer are both being offered as free downloads. The team took the time to make sure that both tools work as stand-alone tools as well as integrated into Visual Studio and Team System.
BinScope is a verification tool that has been used inside Microsoft for several years to help developers and testers confirm they are building their code to use compiler/linker protections required by the SDL. BinScope allows you to scan your code to verify you are setting important security protections such as /GS, /SafeSEH, /NXCOMPAT, and /DYNAMICBASE. In addition it checks to see that you are using .NET strong-named assemblies, good ATL headers, an up-to-date compiler, and not using dangerous constructs such as global function pointers.
MiniFuzz is a simple file fuzzer that is designed to ease your introduction into fuzz testing even if your team has limited security experience. Fuzz testing is a technique whereby you semi-randomly corrupt file formats and attempt to find resulting security exploits and is very effect at finding potential security issues in your code before you ship. This is why fuzzing has become a requirement in the SDL here at Microsoft. Simply provide MiniFuzz with a set of correctly formed files to serve as templates, and MiniFuzz will generate corrupted versions for testing. Any resulting crashes should be carefully investigated and addressed to reduce your software’s attack surface.
Both of these tools are equipped to easily integrate with Visual Studio 2008 Pro as well as Team Foundation Server 2008 and Team System 2008. By installing BinScope as integrated, it can be launched and output results within the Visual Studio IDE. MiniFuzz can be installed as an external tool add-in. Both tools have easy-to-set integration with Team Foundation Server 2008 and compliment the SDL Process Template for VSTS.
Writing secure code is becoming very important to most development teams. I am glad to see the SDL team making these types of tools available to the Visual Studio development community and making it easier to ship more secure code.